ppap13b.ppt
DESCRIPTION
Security, patterns, detection
TRANSCRIPT
An Approach to Formalise Security Patterns
Luis Sergio da Silva Junior, Ecole Polytechnique de Montreal
March, 2013
Sergio An Approach to Formalise Security Patterns 1/ 19
Context
Software Development
• Methods, Techniques and Tools
• Reuse
• Design Patterns
• Security Patterns
Security Patterns
Properties
• Group of patterns focused on security context
• Threat, Attack, Attacker, Asset etc.
• UML diagrams
• Originally, not formally specified
Security Patterns
Example 1
• Single Access Point
• Guard Door
Security Patterns
Example 2
• Roles
• Group of roles
• Restrict Access
Formal Methods
Definition
Formal Methods (FM) consist of a set of techniques and tools based on mathematical modeling and formal logic that are used to specify and verify requirements and designs for computer systems and software
OCL and extensions
Petri Nets
ASM
others
Formalizing Security Patterns
Correct implementation of restrictions and properties
Avoid Threats and bad implementation
Security Improvement
Petri Nets
Places, Tokens and Arcs
Different Types (Coloured, Temporized)
CPN-Tools
Why Petri Nets?
Study Case
Sender-Receiver example
Microarchitecture example
Constraint - the size of the message cannot be longer than 10
Structural analysis - PADL and Reflection structure
Behavioural analysis - Comparison between the pattern and the Petri Net structure
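Added example (not from the slides): the Sender-Receiver study case as a minimal coloured Petri net in plain Python, with the size constraint expressed as a guard on the sending transition. The place names (outbox, channel, inbox) and transition names (send, receive) are assumptions, and this is a stand-in for a CPN-Tools model, not the author's net.

```python
# Added illustration: a minimal coloured Petri net for the Sender-Receiver case.
# Place and transition names are assumptions, not taken from the slides.
from dataclasses import dataclass, field
from typing import Callable

MAX_LEN = 10  # study-case constraint: message size cannot be longer than 10

@dataclass
class Transition:
    name: str
    source: str                   # input place
    target: str                   # output place
    guard: Callable[[str], bool]  # guard over the token's colour (the message)

@dataclass
class Net:
    marking: dict = field(default_factory=dict)    # place -> list of tokens
    transitions: list = field(default_factory=list)

    def enabled(self):
        """(transition, token) pairs whose guard holds in the current marking."""
        return [(t, tok) for t in self.transitions
                for tok in self.marking.get(t.source, []) if t.guard(tok)]

    def run(self):
        """Fire enabled transitions until none is left; return the firing trace."""
        trace = []
        while (choices := self.enabled()):
            t, tok = choices[0]
            self.marking[t.source].remove(tok)      # consume token from input place
            self.marking.setdefault(t.target, []).append(tok)  # produce on output
            trace.append((t.name, tok))
        return trace

def sender_receiver(messages):
    """Build the net with the given messages as tokens in the sender's outbox."""
    net = Net(marking={"outbox": list(messages), "channel": [], "inbox": []})
    net.transitions = [
        Transition("send", "outbox", "channel", lambda m: len(m) <= MAX_LEN),
        Transition("receive", "channel", "inbox", lambda m: True),
    ]
    return net

if __name__ == "__main__":
    net = sender_receiver(["hello", "x" * 11, "0123456789"])  # constructed input
    print(net.run())
    print(net.marking)  # the 11-character token never leaves "outbox"
```

A token that violates the guard stays in its input place, so an implementation that delivers such a message exhibits behaviour the net does not allow.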
Structural analysis
Pattern detection through structural analysis
Class diagrams
Send its result to the next step
Structural analysis
Create a Pattern Model using PADL
Comparison with Real objects - using Java Reflection API
Compare all attributes, associations
Display accuracy.
Behavioural Analysis
Create Coloured Petri Net Model by CPN-Tools
Using XML extractor from the .cpn file
Using Classes, Interfaces to keep the information on Java structure
Extract method internal structure from .java file
Compare expressions and attributions from the Java source code with the Petri net arc inscription.
Display accuracy
Behavioural analysis
Expressions and Attributions
Future Work
Testing with a Real System
Single Access Point, Roles, Session
Evaluate Version with Simulation of Petri Net model
More Formal Methods
Provide running analysis.
Future Work
Find the pattern in some complex structure
Petri Net restriction - named places and transitions
Different calls, same idea (length and size)
Acknowledgment